It seems that governance is all the rage these days. Every identity and access management vendor is jumping on the governance bandwagon, and rightfully so. The key activities that make up governance are becoming more and more critical to a successful security and compliance program. Those activities are:
- Provisioning – making sure that the access rights assigned to each individual are appropriate for that individual and follow well-thought-out security policy
- Attestation/Recertification – enabling the business to accurately and completely certify to the appropriateness of the access that has been provisioned
- Audit – proving that numbers one and two are happening in an acceptable and reportable manner
Those things must happen across the COMPLETE range of access:
- End user access to applications
- End user access to unstructured data
- Privileged user access to administrative accounts.
So those of us on the bandwagon will talk about whatever we do. This results in provisioning vendors talking about provisioning as the lynchpin in governance, and attestation vendors pushing the specific area of strength for them – some for users others for data – and privileged account management vendors trying to squeeze some governance goodness out of an entirely tactical solution that was never designed for governance in the first place.
The victim is you… the one that needs to do governance. In reality, no matter what any vendor tells you, governance is provisioning, attestation, and audit and it must apply to all three access types. Eventually everyone will have to deal with all of them. It’s just a question of going piecemeal and hoping for the best or going unified and front-loading for success.
Without fail, the organizations that have had the most success with governance have taken this unified and holistic approach. In the new eBook called Governance the Elusive Last Mile of IAM, I’ve detailed the common pitfalls that stand in the way of governance success and outlined the steps that you can take to avoid them and become one of the successful few.
For a hands-on journey into this type of governance success, check out the virtual trial of One Identity Manager.